cos413day3
COS/PSA 413
Day 3
Guide to Computer Forensics and Investigations, 2e 2
Agenda
• Questions?
• Assignment 1 due
• Lab Write-ups (project 2-1 and 2-2) due next class
• Lab Recap and After Action Report
• Begin Discussion on Working with Windows and DOS Systems
– Chapter 3 in 1e and Chapter 7 in 2e
Lab 1 Recap
• Always know what you are going to do before you sit down at the forensics workstation
– Methodical, not “hack and slash”
– Requires reading and prior prep
• Learn DOS
– Most forensics work is done at low levels (not GUI)
– http://www.glue.umd.edu/~nsw/ench250/dostutor.htm
• Have part of the lab report started before the lab
– Know what it is you are looking for
Guide to Computer Forensics and Investigations
Chapter 3
Working with Windows and DOS Systems
Objectives
• Understand file systems
• Explore Microsoft file structures
• Examine New Technology File System (NTFS) disks
Objectives (continued)
• Understand the Windows Registry
• Understand Microsoft boot tasks
• Understand MS-DOS startup tasks
Understanding File Systems
• Understand how OSs work and store files
• CompTIA A+ certification
• File system
– Road map to data on a disk
– Determines how data is stored on disk
• Become familiar with file systems
Understanding the Boot Sequence
• Avoid data contamination or modification
• Complementary Metal Oxide Semiconductor (CMOS)
– Stores system configuration, date, and time
• BIOS
– Performs input/output at hardware level
Understanding the Boot Sequence (continued)
• Make sure computer boots from a floppy disk
– Modify CMOS
– Accessing CMOS depends on the BIOS
• Delete key
• Ctrl+Alt+Insert
• Ctrl+A
• Ctrl+F1
• F2
• F12
Understanding the Boot Sequence (continued)
Understanding Disk Drives
• Composed of one or more platters
• Elements of a disk:
– Geometry
– Head
– Tracks
– Cylinders
– Sectors
Understanding Disk Drives (continued)
Understanding Disk Drives (continued)
• Cylinder, head, sector (CHS) calculation
– 512 bytes per sector
– Tracks contain sectors
– Number of bytes on a disk
• Cylinders (platters) x Heads (tracks) x Sectors
• First track is track 0
– So if a disk lists 79 as its last track (as a floppy does), it has 80 tracks
Understanding Disk Drives (continued)
• Zoned bit recording (ZBR)
– Platter’s inner tracks are smaller than outer tracks
– Group tracks by zone
• Track density
– Space between each track
• Areal density
– Number of bits on one square inch of a platter
Exploring Microsoft File Structures
• Need to understand
– FAT
– NTFS
• Sectors are grouped into clusters
– Storage allocation units of at least 512 bytes
– Minimize read and write overhead
• Clusters are referred to as logical addresses
• Sectors are referred to as physical addresses
Disk Partitions
• Logical drive
• Hidden partitions or voids
– Large, unused gaps between partitions
– Also known as partition gaps
– Can hide data
• Use a disk editor to change the partition table
– Norton Disk Edit
– WinHex, Hex Workshop
– http://www.x-ways.net/winhex/index-m.html
Disk Partitions (continued)
Disk Partitions (continued)
• Disk editor additional functions
– Identify OS on an unknown disk
– Identify file types
Disk Partitions (continued)
Disk Partitions (continued)
Master Boot Record
• Stores information about partitions
– Location
– Size
– Others
• Software can replace master boot record (MBR)
– PartitionMagic
– LILO
– Can interfere with forensics tasks
– Use more than one tool
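As an added example (not from the course or the textbook), the Python below ties the CHS arithmetic from the disk-drive slides to the partition table: it decodes the packed CHS fields of each MBR entry, checks them against the LBA fields, and lists the unallocated gaps between partitions where hidden data could sit. The drive geometry, the partition layout and the sample MBR bytes are constructed assumptions.

```python
"""MBR partition table: decode packed CHS fields, cross-check them against the
LBA fields, and list unallocated gaps between partitions (constructed sample)."""
import struct

SECTOR = 512
HEADS, SPT = 16, 63   # assumed geometry: heads per cylinder, sectors per track

def disk_bytes(cylinders, heads, spt):
    """Capacity from geometry, e.g. an 80-track, 2-head, 18-sector floppy."""
    return cylinders * heads * spt * SECTOR

def chs_to_lba(c, h, s, heads=HEADS, spt=SPT):
    """Cylinders/heads count from 0, sectors from 1: track 79 as last means 80 tracks."""
    return (c * heads + h) * spt + (s - 1)

def lba_to_chs(lba, heads=HEADS, spt=SPT):
    c, rem = divmod(lba, heads * spt)
    h, s = divmod(rem, spt)
    return c, h, s + 1

def decode_chs(raw):
    """Packed 3-byte field: byte0 = head, byte1 bits 0-5 = sector,
    byte1 bits 6-7 = cylinder bits 8-9, byte2 = cylinder bits 0-7."""
    return ((raw[1] & 0xC0) << 2) | raw[2], raw[0], raw[1] & 0x3F

def encode_chs(c, h, s):
    return bytes([h, ((c >> 2) & 0xC0) | (s & 0x3F), c & 0xFF])

def partition_entry(ptype, lba_start, lba_len, bootable=False):
    """Build one 16-byte table entry; used here only to construct the sample."""
    end = lba_start + lba_len - 1
    return (bytes([0x80 if bootable else 0]) + encode_chs(*lba_to_chs(lba_start))
            + bytes([ptype]) + encode_chs(*lba_to_chs(end)) + struct.pack("<II", lba_start, lba_len))

def parse_mbr(mbr):
    """Populated entries with LBA range, plus whether CHS start agrees with LBA start."""
    if len(mbr) != SECTOR or mbr[510:] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with the 0x55AA signature")
    parts = []
    for i in range(4):
        e = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        lba_start, lba_len = struct.unpack_from("<II", e, 8)
        if e[4] == 0 or lba_len == 0:   # empty slot
            continue
        parts.append({"index": i, "type": e[4], "bootable": e[0] == 0x80,
                      "lba_start": lba_start, "lba_end": lba_start + lba_len - 1,
                      "chs_consistent": chs_to_lba(*decode_chs(e[1:4])) == lba_start})
    return parts

def find_gaps(parts, min_sectors=1):
    """Unallocated runs as (first_free_lba, sector_count); sector 0 is the MBR itself."""
    gaps, next_free = [], 1
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] - next_free >= min_sectors:
            gaps.append((next_free, p["lba_start"] - next_free))
        next_free = max(next_free, p["lba_end"] + 1)
    return gaps

# Constructed sample: a 2016-sector FAT16 partition at LBA 63, a 1008-sector
# void, then a 4032-sector NTFS partition; the last two slots are empty.
SAMPLE_MBR = (bytes(446)
              + partition_entry(0x06, 63, 2016, bootable=True)
              + partition_entry(0x07, 63 + 2016 + 1008, 4032)
              + bytes(32) + b"\x55\xaa")
```

A CHS/LBA mismatch or a gap of more than a few sectors is what you would then open in WinHex or a similar disk editor.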
Examining FAT Disks
• FAT was originally developed for floppy disks
– Filenames, directory names, date and time stamps, starting cluster, attributes
• Typically written to the outermost track
• Evolution
– FAT12
– FAT16
– FAT32
Examining FAT Disks (continued)
Examining FAT Disks (continued)
• Drive slack
– Unused space on a cluster
– RAM slack
• Can contain logon IDs and passwords
• Common on older systems
– File slack
• Bytes not used on the sector by the file
• FAT16 unintentionally reduced fragmentation
Examining FAT Disks (continued)
Examining FAT Disks (continued)
• Cluster chaining
– File clusters are together (when possible)
• Produces fragmentation
• Tools
– Norton DiskEdit
– DriveSpy’s Chain Fat Entry (CFE) command
• Rebuilding broken chains can be difficult
Examining FAT Disks (continued)
Deleting FAT Files
• Filename in FAT database starts with HEX E5
• FAT chain for that file is set to zero
• Free disk space is incremented
• Actual data remains on disk
• Can be recovered with computer forensics tools
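Added example, not the course's or the textbook's code: a FAT16 directory and FAT are constructed in Python to show the 0xE5 deletion marker, a zeroed chain next to an intact one, the contiguity assumption a recovery tool falls back on when the chain is gone, and the RAM-slack/file-slack split from the drive-slack slide. The cluster size and both sample files are constructed assumptions.

```python
"""FAT16 directory entries and cluster chains: flag deleted entries (first name
byte 0xE5), walk chains, model a zeroed chain, compute slack. Constructed data."""
import struct

BYTES_PER_SECTOR, SECTORS_PER_CLUSTER = 512, 4
CLUSTER = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER
FAT16_EOC = 0xFFF8   # FAT entries >= this value mark end of chain

def parse_dir_entry(e):
    """Decode one 32-byte 8.3 entry. Deletion overwrites only the first name byte
    with 0xE5; start cluster, size and timestamps survive, so recovery is possible."""
    deleted = e[0] == 0xE5
    name = (b"?" + e[1:8] if deleted else e[0:8]).decode("ascii").rstrip()
    ext = e[8:11].decode("ascii").rstrip()
    start, size = struct.unpack_from("<HI", e, 26)
    return {"deleted": deleted, "name": name + ("." + ext if ext else ""),
            "attrs": e[11], "start_cluster": start, "size": size}

def follow_chain(fat, start):
    """Walk FAT entries from `start`: (clusters, 'complete') when an end-of-chain
    marker is hit, (clusters, 'broken') on a free (0), invalid or looping entry."""
    chain, cur = [], start
    while 2 <= cur < FAT16_EOC and cur < len(fat) and cur not in chain:
        chain.append(cur)
        cur = fat[cur]
    return chain, ("complete" if cur >= FAT16_EOC else "broken")

def assume_contiguous(start, size):
    """Clusters a deleted file held if unfragmented: the first guess once its chain is zeroed."""
    return list(range(start, start + max(1, -(-size // CLUSTER))))

def slack(size):
    """(ram_slack, file_slack): bytes left in the last sector written, and the
    whole sectors of the last cluster the file never reaches."""
    used = size % CLUSTER or CLUSTER
    ram = (-used) % BYTES_PER_SECTOR
    return ram, CLUSTER - used - ram

def scan_directory(dir_bytes, fat):
    """Parse entries up to the first unused slot (0x00); annotate each with its chain
    and, for deleted entries, a contiguity-based recovery guess."""
    results = []
    for off in range(0, len(dir_bytes), 32):
        raw = dir_bytes[off:off + 32]
        if raw[0] == 0:
            break
        entry = parse_dir_entry(raw)
        entry["chain"], entry["chain_status"] = follow_chain(fat, entry["start_cluster"])
        if entry["deleted"]:
            entry["recovery_candidates"] = assume_contiguous(entry["start_cluster"], entry["size"])
        results.append(entry)
    return results

def dir_entry(name, ext, start, size, deleted=False):
    """Construct a sample 8.3 entry (archive attribute set, timestamps zeroed)."""
    raw = name.ljust(8).encode() + ext.ljust(3).encode()
    raw = (b"\xe5" + raw[1:]) if deleted else raw
    return raw + bytes([0x20]) + bytes(14) + struct.pack("<HI", start, size)

# Constructed sample: REPORT.TXT (5000 bytes) occupies clusters 2-4; NOTES.TXT
# was deleted, so its entry now starts with 0xE5 and its chain (5, 6) is zeroed.
SAMPLE_FAT = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0, 0, 0] + [0] * 8
SAMPLE_DIR = (dir_entry("REPORT", "TXT", 2, 5000)
              + dir_entry("NOTES", "TXT", 5, 3000, deleted=True) + bytes(32))
```

The contiguity guess is only a guess: if cluster 6 has since been reused by another file, carving the recovered bytes would mix two files, which is why the slides call rebuilding broken chains difficult.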
Examining NTFS Disks
• First introduced with Windows NT
• Spin-off of HPFS
– From IBM OS/2
• Provides improvements over FAT file systems
– Stores more information about a file
• Microsoft’s move toward a journaling file system
– Keeps track of transactions
– Can be rolled back
Examining NTFS Disks (continued)
• Partition Boot Sector starts at sector 0
• Master File Table (MFT)
– First file on disk
– Contains information about all files on disk (meta-data)
• Reduces slack space
• NTFS uses Unicode
– UTF-8, UTF-16, UTF-32
Examining NTFS Disks (continued)
NTFS File Attributes
• All files and folders have attributes
• Resident attributes
– Stored in the MFT
• Nonresident attributes
– Everything that can be stored on the MFT
• Uses inodes for nonresident attributes
• Logical and virtual cluster numbers
– LCN and VCN
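Added example (not from the course or the textbook): Python that parses an NTFS attribute header, returns the content directly when the attribute is resident in the MFT record, and for a non-resident attribute decodes its data runs into the VCN-to-LCN mapping that locates the file's clusters on the volume. Both sample $DATA attributes are constructed; the 4 KiB cluster size is an assumption.

```python
"""NTFS attribute header plus data-run decoding: the VCN -> LCN mapping that
says where a non-resident attribute's clusters sit. Constructed sample bytes."""
import struct

def decode_data_runs(runs):
    """Return [(start_vcn, start_lcn, cluster_count), ...]. Each run opens with a
    header byte: low nibble = size of the cluster-count field, high nibble = size
    of the signed LCN offset, taken relative to the previous run's starting LCN.
    Offset size 0 means a sparse run (no clusters on disk, LCN None); a 0x00
    header byte ends the list."""
    out, pos, vcn, lcn = [], 0, 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_sz, off_sz = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        count = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            out.append((vcn, None, count))
        else:
            lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            out.append((vcn, lcn, count))
        vcn += count
    return out

def vcn_to_lcn(runs, vcn):
    """Map one virtual cluster of the attribute to its logical cluster on the volume."""
    for start_vcn, start_lcn, count in runs:
        if start_vcn <= vcn < start_vcn + count:
            return None if start_lcn is None else start_lcn + (vcn - start_vcn)
    raise ValueError("VCN %d is outside the attribute" % vcn)

def parse_attribute(buf):
    """Parse the 16-byte common header, then the resident part (content lives
    inside the MFT record) or the non-resident part (only a run list is stored)."""
    atype, length, nonres = struct.unpack_from("<IIB", buf, 0)
    info = {"type": atype, "length": length, "non_resident": bool(nonres)}
    if not nonres:
        size, off = struct.unpack_from("<IH", buf, 16)
        info["content"] = buf[off:off + size]
    else:
        start_vcn, end_vcn, run_off = struct.unpack_from("<QQH", buf, 16)
        info["real_size"] = struct.unpack_from("<Q", buf, 48)[0]
        info["runs"] = decode_data_runs(buf[run_off:length])
    return info

# Constructed non-resident $DATA (type 0x80): 24 clusters at LCN 22068, then 48
# clusters starting 16 clusters below that (negative offset). 4 KiB clusters.
RUNS = bytes.fromhex("21 18 34 56 11 30 f0 00")
NONRESIDENT_DATA = (struct.pack("<IIBBHHH", 0x80, 64 + len(RUNS), 1, 0, 0x40, 0, 3)
                    + struct.pack("<QQHHIQQQ", 0, 71, 64, 0, 0, 72 * 4096, 72 * 4096, 72 * 4096)
                    + RUNS)
# Constructed resident $DATA: the 5 content bytes sit in the MFT record at offset 24.
RESIDENT_DATA = (struct.pack("<IIBBHHH", 0x80, 32, 0, 0, 0x18, 0, 2)
                 + struct.pack("<IHBB", 5, 24, 0, 0) + b"hello" + bytes(3))
```

Multiply an LCN by the cluster size and add the volume's starting offset to get the byte position a disk editor would jump to.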
NTFS Data Streams
• Data can be appended to a file when examining a disk
– Can obscure valuable evidentiary data
• Additional data attribute of a file
• Allow files to be associated with different applications
NTFS Compressed Files
• Improve data storage
– Compression similar to FAT DriveSpace 3
• Files, folders, or an entire volume can be compressed
• Transparent when working with Windows XP, 2000, or NT
• Need to decompress it when analyzing
– Advanced tools do it automatically
NTFS Encrypted File System (EFS)
• Introduced with Windows 2000
• Implements a public key/private key encryption method
• Recovery certificate
– Recovery mechanisms in case of a problem
• Works for local workstations or remote servers
Deleting NTFS Files
• Similar to FAT
• NTFS is more efficient than FAT
– Reclaiming deleted space
– Deleted files are overwritten more quickly
Understanding the Windows Registry
• Database that stores:
– Hardware and software configuration
– User preferences (user names and passwords)
– Setup information
• Use Regedit command for Windows 9x
• Use Regedt32 command for Windows XP and 2000
• FTK Registry Viewer
Understanding the Windows Registry (continued)
• Windows 9x Registry
– User.dat
– System.dat
• Windows 2000 and XP Registry
– \Winnt\System32\Config
– \Windows\System32\Config
– System, SAM, Security, Software, and NTUser.dat
Understanding the Windows Registry (continued)
Understanding Microsoft Boot Tasks
• Prevent damaging digital evidence
• OSs alter files when computer starts up
Windows XP, 2000 and NT Startup
• Steps:
– Power-on self test (POST)
– Initial startup
– Boot loader
– Hardware detection and configuration
– Kernel loading
– User logon
Startup Files for Windows XP
• Files used during boot process:
– NTLDR
– Boot.ini
– BootSec.dos
– NTDetect.com
– NTBootdd.sys
– Ntoskrnl.exe
– Hal.dll
– Device drivers
Windows XP System Files
Windows 9x and Me Startup
• Windows Me cannot boot to a true MS-DOS mode
• Windows 9x OSs have two modes
– DOS protected-mode interface (DPMI)
• Command prompt from boot menu
– Protected-mode GUI
• DOS shell in Windows
• Startup files
– Io.sys
– Msdos.sys
– Command.com
Windows 9x and Me Startup (continued)
Understanding MS-DOS Startup Task
• Io.sys
– Loaded after the ROM bootstrap
– Finds the disk drive
– Provides basic input/output services
• Msdos.sys
– Loaded after Io.sys
– Actual kernel for MS-DOS
– Looks for Config.sys
Understanding MS-DOS Startup Task (continued)
• Msdos.sys (continued)
– Loads Command.com
– Loads Autoexec.bat
• Config.sys
– Commands run only at system startup
• Autoexec.bat
– Customized settings for MS-DOS
– Define default path and environment variables
Other Disk Operating Systems
• Control Program for Microprocessors (CP/M)
• Digital Research Operating System (DR-DOS)
• Personal Computer Disk Operating System (PC-DOS)
– Developed by IBM
DOS Commands and Batch Files
• Batch files
– Fixed sequence of DOS commands
– Ideal for repetitive tasks
• Batch files work like a single command
• MS-DOS supports parameter passing and conditional execution
– Can pass up to 10 parameters
DOS Commands and Batch Files (continued)
DOS Commands and Batch Files (continued)
Summary
• FAT
– FAT12, FAT16, and FAT32
• Windows Registry keeps hardware and software configuration and preferences
• CHS calculation
• NTFS
• Look for hidden information on file, RAM, and drive slack
Summary (continued)
• NTFS uses Unicode to store information
• Hexadecimal codes identify OSs and file types
• NTFS uses inodes to link file attribute records
– Resident and nonresident
• NTFS compressed files
• NTFS encrypted files (EFS)